FATEK Automation WinProladder

MonitorCVSS 7.8ICS-CERT ICSA-21-098-01Apr 8, 2021

FATEK

Attack path

Attack VectorLocal

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

FATEK WinProladder versions 3.30 and earlier contain a buffer overflow or memory corruption vulnerability (CWE-191) that allows arbitrary code execution if a user opens a specially crafted project file. The vulnerability is triggered during file parsing and requires no special privileges. FATEK is developing a fix. The vulnerability is not remotely exploitable; an attacker must trick a user into opening a malicious project file, typically via email or social engineering. Successful exploitation allows the attacker to run code with the privileges of the engineering workstation user, potentially compromising PLC configuration and control logic.

What this means

What could happen

An attacker with local access to a system running WinProladder could execute arbitrary code with the privileges of the user, potentially compromising PLC automation logic and control sequences.

Who's at risk

FATEK WinProladder is used by operators and engineers at water utilities, electric utilities, and manufacturing plants to program and manage FATEK PLC controllers. Version 3.30 and earlier are affected. This impacts anyone who uses FATEK automation systems to control pumping stations, tank levels, electrical distribution, or industrial processes.

How it could be exploited

An attacker must trick a user into opening a malicious project file (.pro or similar) in WinProladder. When the file is opened, a buffer overflow or memory corruption flaw is triggered, allowing code execution on the engineering workstation. This compromised workstation could then be used to modify PLC logic or download malicious code to connected controllers.

Prerequisites

Local access to the engineering workstation running WinProladder
User must open a malicious project file
Attacker must craft project file with buffer overflow payload
No special privileges or authentication needed on the engineering station

no patch availablelow complexity (user must open file, no special network or authentication required)affects engineering workstations which have access to live PLC systemssocial engineering / phishing attack vector

Exploitability

Unlikely to be exploited — EPSS score 0.3%

Affected products (1)

ProductAffected VersionsFix Status

WinProladder:≤ 3.30No fix (EOL)

Remediation & Mitigation

0/4

Do now

0/2

WORKAROUNDOnly open FATEK project files from trusted internal sources; do not open project files received via email or from untrusted URLs

HARDENINGRun WinProladder and all engineering workstations under least-privilege user accounts (non-administrator) to limit what malicious code can do if executed

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade to a patched version of WinProladder when FATEK releases a fix

Mitigations - no patch available

0/1

WinProladder: has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGIsolate WinProladder engineering workstations from general email and web browsing; use a dedicated air-gapped or restricted-access station for PLC programming

CVEs (1)

CVE-2021-27486

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/f2ad1629-4068-4cf1-9f6b-48f4363b05f0

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.